Introduction to Test Project

This Test Project proposal consists of the following document file:
• LKSN2019 ITNETWORK MODUL C.pdf


Introduction

You are the IT consultant responsible for LKSNSMK in DIY. You have to build and configure the network for LKSNSMK in DIY, which consists of a new domain, LKSNSMK.net, and implement features for the LKS and WSC, policies and file services.

This project has several components. You need to:

1. Build a new domain (LKSNSMK.net)
2. Maintain connectivity and access to resources between the LKS and the WSC.
3. Set up a new site-to-site connection

NOTE:
• Refer to the diagram on the last page for quick specification reference, as well as the configuration table.
• Please use the default configuration if you are not given the details.
• All local and domain users on ALL machines should have a password of "P@ssw0Ord" unless otherwise specified.
• Pre-supplied machines that the competitor needs to log on to will also be pre-configured with this password.
Work Task all VMs

• Configure the hostname and network settings as per the configuration table/network diagram.
• Modify the default Firewall rules to allow ICMP (ping) traffic.


PART 1 — LKS ZONE 
Work Task LKS-SRV

Active Directory
• Configure this server as the initial domain controller for LKSNSMK.net
• Configure DHCP for the clients
  o Mode: Load balancer
  o Partner Server: LKS-FILES
  o State Switchover: 10 minutes
  o Range: 172.16.0.150-180
  o Set the appropriate scope options for both DNS servers and default gateway
• Configure DNS for LKSNSMK.net
  o Create a reverse zone for the 172.16.0.0/24 network
  o Add static records for LKS-SRV, LKS-FILES and LKS-RTR.


Users/Groups

• Create OUs named "Expert", "Competitor", "Manager" and "Visitor"
• Create the following AD groups:
  o LKS-Experts
  o LKS-Competitors
  o LKS-Managers
  o LKS-Visitors
• Create the users from the CSV file LKS-Users.csv (C:\LKS-Users.csv) on LKS-SRV VM.
  o Fill in all fields in the Active Directory user object and add the users to the corresponding LKS-xx groups and OUs
• Create a home drive for every user on LKS-FILES in D:\shares\users.
• Connect the home drive automatically to drive U: --> \\LKS-FILES.LKSNSMK.net\users$\%username%

NOTE:
• This is a required list of users, groups and OUs that have to be created in the domain. If you believe that you should create additional users/groups to perform the tasks, you can create them.
• If you are unable to import all the users from the Excel file, create at least the following users manually:
Username/Login | Password | Domain
test expert | P@ssword | LKS-Experts
test competitor | P@ssword | LKS-Competitors
test manager | P@ssword | LKS-Managers
test visitor | P@ssword | LKS-Visitors


GPO

• Disable "first sign in Animation" on all Windows 10 Clients
• Members of the LKS-Experts group must be members of the local admin group on all Windows 10 computers in the domain
• Disable Recycle Bin on the Desktop for all domain users except users in "LKS-Experts" Group and domain administrators
• Disable changing the screen saver for all domain users except users in "LKS-Experts" Group and domain administrators
• Disable changing the background picture for all domain users except users in "LKS-Experts" Group and domain administrators
• Redirect (folder redirection) "My Documents" and the "Desktop" to LKS-FILES --> D:\shares\redirected, only for users in the Expert group
o Share path: NLKS-FILES.LKSNSMK.netiredirectedsusernameo 
• Create a fine-grained password policy requiring 7-character non-complex passwords for regular users and 8-character complex passwords for members of the LKS-Experts group
  o Disable “enforce minimum password age”
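
One way to implement the fine-grained password policy task above with the ActiveDirectory module (an added example, not part of the original test project). The PSO names, the use of "Domain Users" to stand for "regular users", and the placeholder account names are assumptions.

```powershell
# Added example (not part of the test project). Run on LKS-SRV as a domain admin.
Import-Module ActiveDirectory

# A lower Precedence value wins when more than one PSO applies to a user,
# so the LKS-Experts policy must rank ahead of the one for regular users.
$policies = @(
    @{ Name = 'PSO-LKS-Experts';   Precedence = 10; Length = 8; Complex = $true;  Subject = 'LKS-Experts'  },
    @{ Name = 'PSO-Regular-Users'; Precedence = 20; Length = 7; Complex = $false; Subject = 'Domain Users' }
)

foreach ($p in $policies) {
    # PSO names are assumptions; skip creation if the script is re-run.
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($p.Name)'")) {
        New-ADFineGrainedPasswordPolicy -Name $p.Name `
            -Precedence $p.Precedence `
            -MinPasswordLength $p.Length `
            -ComplexityEnabled $p.Complex `
            -MinPasswordAge ([TimeSpan]::Zero) `
            -ProtectedFromAccidentalDeletion $true
        # PSOs can only be linked to users or global security groups, not OUs.
        Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $p.Subject
    }
}

# Check which policy actually wins for one account from each class.
# $sampleUsers holds placeholder logon names; replace them with real accounts.
$sampleUsers = '<expert-account>', '<regular-account>'
foreach ($u in $sampleUsers) {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u
    [pscustomobject]@{
        User      = $u
        Policy    = $pso.Name
        MinLength = $pso.MinPasswordLength
        Complex   = $pso.ComplexityEnabled
        MinAge    = $pso.MinPasswordAge
    }
}
```

Members of LKS-Experts are also members of Domain Users, so both PSOs apply to them; the resultant-policy check confirms that the precedence 10 policy is the one in force.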
Work Task LKS-FILES

This will be the primary file server for the LKSNSMK.net domain, but will also provide redundancy for other network services, including DHCP.

Install/Configure

• Add new disk 10 GB, map it on drive D:
• Join to LKSNSMK.net domain

Shares

• Create shares for departments (Competitors, Experts and Managers)
  o on LKS-FILES --> D:\shares\departments
  o \\LKS-FILES\Experts --> D:\shares\departments\Experts
  o \\LKS-FILES\Competitors --> D:\shares\departments\Competitors
  o \\LKS-FILES\Managers --> D:\shares\departments\Managers


DFS

• Create a Namespace with the name “dfs”
• Add LKS-SRV as the second server for this Namespace
• Create DFS links for the department shares (Experts, Competitors, Managers)
• Create a DFS Replication to implement a backup of the department shares on LKS-SRV. The shares should be replicated/backed up like this:
  o LKS-FILES: D:\shares\departments\Experts --> LKS-SRV: C:\backup\Experts
  o LKS-FILES: D:\shares\departments\Competitors --> LKS-SRV: C:\backup\Competitors
  o LKS-FILES: D:\shares\departments\Managers --> LKS-SRV: C:\backup\Managers
• Map the department shares and have full access depending on the corresponding group (LKS-Experts, LKS-Competitors, LKS-Managers) to drive G: using the DFS Namespace
• Install and configure DHCP
  o Mode: Load balancer
  o Partner Server: LKS-SRV
  o State Switchover time: 10 minutes
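
The DHCP tasks listed for LKS-SRV and LKS-FILES, sketched with the DhcpServer module as an added example that is not part of the original test project. The scope name, the failover relationship name, the use of a shared secret, and pointing the DNS option at LKS-SRV only are assumptions; addresses come from the configuration table.

```powershell
# Added example (not part of the test project). Run on LKS-SRV as a domain admin.
$scopeId = '172.16.0.0'
$primary = 'LKS-SRV.LKSNSMK.net'
$partner = 'LKS-FILES.LKSNSMK.net'

# DHCP role on both partners, then authorise them in Active Directory.
foreach ($server in $primary, $partner) {
    Install-WindowsFeature DHCP -IncludeManagementTools -ComputerName $server
}
Add-DhcpServerInDC -DnsName $primary -IPAddress 172.16.0.1
Add-DhcpServerInDC -DnsName $partner -IPAddress 172.16.0.2

# Scope and options are created once; failover replicates them to the partner.
Add-DhcpServerv4Scope -Name 'LKS clients' -StartRange 172.16.0.150 `
    -EndRange 172.16.0.180 -SubnetMask 255.255.255.0 -State Active
# Assumption: LKS-SRV is the DNS server handed to clients.
Set-DhcpServerv4OptionValue -ScopeId $scopeId -DnsServer 172.16.0.1 `
    -DnsDomain 'LKSNSMK.net' -Router 172.16.0.254

# Load-balance mode: both servers answer clients, here split 50/50.
# The shared secret authenticates failover messages between the partners.
$secret = Read-Host -Prompt 'Failover shared secret'
Add-DhcpServerv4Failover -Name 'LKS-SRV-LKS-FILES' -PartnerServer $partner `
    -ScopeId $scopeId -LoadBalancePercent 50 `
    -AutoStateTransition $true -StateSwitchInterval '00:10:00' `
    -SharedSecret $secret

# Confirm mode, partner and the 10 minute switchover on the relationship.
Get-DhcpServerv4Failover -Name 'LKS-SRV-LKS-FILES' |
    Select-Object Name, Mode, PartnerServer, State, StateSwitchInterval
```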


Quota/Screening

• Set the quota for every home drive to 5GB
• Prevent storing .cmd and .exe files on the home drives. All other file extensions are allowed!
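
The quota and screening tasks above, as an added example using the File Server Resource Manager cmdlets (not part of the original test project). The template, file group and scratch-folder names are assumptions; the path is the home-drive root named earlier on the page.

```powershell
# Added example (not part of the test project). Run on LKS-FILES as an admin.
Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools
$homeRoot = 'D:\shares\users'

# Hard 5 GB limit, applied automatically to every existing and future
# subfolder (one per user) of the home-drive root.
New-FsrmQuotaTemplate -Name 'Home drive 5GB' -Size 5GB
New-FsrmAutoQuota -Path $homeRoot -Template 'Home drive 5GB'

# Block only the two extensions; everything else stays allowed.
# -Active makes the screen refuse the write instead of only logging it.
New-FsrmFileGroup -Name 'Blocked on home drives' -IncludePattern '*.cmd', '*.exe'
New-FsrmFileScreen -Path $homeRoot -IncludeGroup 'Blocked on home drives' -Active

# Probe: a screened name must be refused, an unscreened one accepted.
$probeDir = Join-Path $homeRoot '_screen-test'   # hypothetical scratch folder
New-Item $probeDir -ItemType Directory -Force | Out-Null
foreach ($name in 'probe.exe', 'probe.cmd', 'probe.txt') {
    $target = Join-Path $probeDir $name
    try   { Set-Content -Path $target -Value 'x' -ErrorAction Stop; $result = 'written' }
    catch { $result = 'blocked' }
    [pscustomobject]@{ File = $name; Result = $result }
}
Remove-Item $probeDir -Recurse -Force
```

FSRM file screens match on the file name pattern only, not on file content, so this control governs what may be stored by name; it is not a substitute for application control on the clients.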


Customized error messages

• Make sure that unauthorized users get the following error message when they try to access one of the three department shares (Experts, Competitors and Managers) they are not allowed to!
  o Expert share:
    ▪ Error message: “Access only for EXPERTS allowed”
  o Competitor share:
    ▪ Error message: “Access only for COMPETITORS allowed”
  o Manager share:
    ▪ Error message: “Access only for MANAGERS allowed”
Work Task LKS-CLIENT

Configure

• Join the client to the LKSNSMK.net domain
• Use this client for testing the GPO settings


Date: 13.02.19 Version: 1.0 


LKSN2019 ITNSA © WorldSkills International


Part 2 — WSC ZONE
Work Task WSC-SRV

This server is used for Published Applications in the WSC domain.

Active Directory

• Configure this server as the initial domain controller for WSC.net
• Create an OU named RDS and two users, rds user1 and rds user2
• Create www and rds records for WSC.net
• Install Enterprise Root CA
  o Name: WSC-ROOT-CA
  o Lifetime: 5 years
• Configure a template for all clients called "Skills39 WSC Clients"
  o Set the "subject name format" to Common Name
  o Auto enroll this template to all WSC.net Windows 10 Clients
• Create the necessary certificates for the WSC websites on WSC-SRV


IIS

• Host www.WSC.net website
• Add index file to show “Improving Our World with the Power of Skills”
• This site should use https using certificate approved in WSC CA


Remote Desktop Services

• Install Remote Desktop Services
  o Do not install the RD Licensing component.
• Configure web access for terminal services.
• The RDS login page should be accessible by entering the URL https://rds.WSC.net
• On the WSC-SRV server, generate and use the corresponding SSL certificate for terminal services. Apply this certificate for all components of the terminal services. When connecting to the website https://rds.WSC.net from any computer in the WSC domain, the certificate must be trusted and valid (no certificate warning should be shown).
• Make sure only users rds user1 and rds user2 are able to log in via RDP.
• Publish Wordpad on the web portal of RemoteApp for the domain user rds user1
• Publish Notepad on the web portal of RemoteApp for the domain user rds user2
Part 3 — VPN

In Part 3 you have to set up a Site-to-Site VPN between the LKS network and the WSC network.

Work Task WSC-RTR

Install/Configure

• Join to WSC.net domain
• Install RRAS service

Site-to-Site VPN

• Configure Site-to-Site VPN to LKS-RTR
• Use pre-shared key P@sswird for the authentication
• Set the connection type to persistent connection
• All traffic bound for LKS will be placed in the VPN tunnel


Work Task LKS-RTR

Install/Configure

• Join to LKSNSMK.net domain
• Install RRAS service

Site-to-Site VPN

• Configure Site-to-Site VPN to the WSC-RTR
• Use pre-shared key P@sswird for the authentication
• Set the connection type to persistent connection
• All traffic bound for WSC will be placed in the VPN tunnel

Remote access VPN

• Configure VPN for client access.
• Use the IKEv2 protocol and make sure authentication is done by client certificate
• Use the IP range 192.168.0.50 - 192.168.0.79, DNS: 192.168.0.1
• The VPN clients should have access to all internal networks (LKS and WSC)

Work Task COMPETITOR

VPN

• Configure the VPN client settings for all users on this computer
• Add a VPN connection named WSC-VPN
  o Connect the VPN using the public IP of WSC-RTR
  o Use IKEv2 protocol with machine certificate authentication
• Use this client for testing access to https://www.WSC.net
• Join to WSC.net domain
CONFIGURATION TABLE


Operation OS 
WSC-SRV | Windows Server 2016 GUI | wsc.net | 192.168.0.1/24 | 192.168.0.254 | Yes
WSC-RTR | Windows Server 2016 no GUI | wsc.net | 192.168.0.254/24 | N/A | Yes
 | | | 1.1.1.2/24 | |
LKS-SRV | 2 | LKSNSMK.net | 172.16.0.1/24 | 172.16.0.254 |
LKS-FILES | Windows Server 2016 GUI | LKSNSMK.net | 172.16.0.2/24 | 172.16.0.254 | Yes
LKS-RTR | Windows Server 2016 no GUI | LKSNSMK.net | 172.16.0.254/24 | N/A | Yes
 | | | 1.1.1.1/24 | |
LKS-CLIENT | Windows 10 | LKSNSMK.net | DHCP | 172.16.0.254 |
COMPETITOR | Windows 10 | WSC.net | 1.1.1.100/24 | |





Machines indicated as being preinstalled with "Yes" will have the operating system installed. 